Cisco Email Security Appliance C170 User Guide

Cisco IronPort AsyncOS 7.6 for Email Daily Management Guide
OL-25138-01
Chapter 8      Common Administrative Tasks
Working with User Accounts
Enabling RADIUS Authentication
You can also use a RADIUS directory to authenticate users and assign groups of users to Cisco IronPort 
roles. The RADIUS server should support the CLASS attribute, which AsyncOS uses to assign users in 
the RADIUS directory to Cisco IronPort user roles. AsyncOS supports two authentication protocols for 
communicating with the RADIUS server: Password Authentication Protocol (PAP) and Challenge 
Handshake Authentication Protocol (CHAP).
To assign RADIUS users to Cisco IronPort user roles, first set the CLASS attribute on the RADIUS 
server with a string value of <radius-group>, which will be mapped to Cisco IronPort user roles. The 
CLASS attribute may contain letters, numbers, and a dash, but cannot start with a dash. AsyncOS does 
not support multiple values in the CLASS attribute. RADIUS users belonging to a group without a 
CLASS attribute or an unmapped CLASS attribute cannot log into the appliance.
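The CLASS rules above can be checked against an export of RADIUS reply attributes before external authentication is enabled. This Python example is added here and is not from the Cisco guide; the group names, user names and role assignments are constructed, and the exact-match lookup and the refusal of multi-valued CLASS are assumptions.

```python
import re

# Rule from the text: letters, numbers and dashes only, never a leading dash.
# ASCII is assumed here.
_CLASS_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]*")

def valid_class(value):
    return _CLASS_RE.fullmatch(value) is not None

def resolve_role(class_values, group_to_role):
    """Return (role, reason). role is None when the login would be refused."""
    if not class_values:
        return None, "no CLASS attribute"
    if len(class_values) > 1:
        # Assumption: unsupported multi-valued CLASS is treated as a refusal.
        return None, "multiple CLASS values"
    value = class_values[0]
    if not valid_class(value):
        return None, "invalid CLASS value"
    role = group_to_role.get(value)  # assumption: exact, case-sensitive match
    if role is None:
        return None, "unmapped CLASS value"
    return role, "mapped"

def audit(directory, group_to_role):
    """List every problem found in the mapping and in the per-user CLASS data."""
    findings = [f"mapping: {g!r} is not a valid CLASS value"
                for g in group_to_role if not valid_class(g)]
    for user, classes in sorted(directory.items()):
        role, reason = resolve_role(classes, group_to_role)
        if role is None:
            findings.append(f"{user}: {reason}")
    return findings

# Constructed sample data: group names, users and role assignments are invented.
GROUP_TO_ROLE = {"esa-admins": "Administrator", "esa-ops": "Operator"}
DIRECTORY = {
    "alice": ["esa-admins"],
    "bob": [],                            # group has no CLASS attribute
    "carol": ["esa-ops", "esa-admins"],   # more than one CLASS value
    "dave": ["-helpdesk"],                # leading dash
    "erin": ["mail_team"],                # underscore is outside the allowed set
    "frank": ["esa-guests"],              # well-formed but not mapped
}

if __name__ == "__main__":
    for line in audit(DIRECTORY, GROUP_TO_ROLE):
        print(line)
```

Every user listed in the output would be locked out of the appliance under the rules above, so an empty result is the condition to reach before relying on RADIUS logins.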
If the appliance cannot communicate with the RADIUS server, the user can log in with a local user 
account on the appliance.
Note: If an external user changes the user role for their RADIUS group, the user should log out of the appliance 
and then log back in. The user will have the permissions of their new role.
To enable external authentication using RADIUS:
Step 1  On the System Administration > Users page, click Enable. The Edit External Authentication page is 
displayed.
Step 2  Select the Enable External Authentication check box.
Step 3  Select RADIUS for the authentication type.
Figure 8-18: Enabling External Authentication Using RADIUS
Step 4  Enter the host name for the RADIUS server.
Step 5  Enter the port number for the RADIUS server. The default port number is 1812.
Step 6  Enter the Shared Secret password for the RADIUS server.
Note: When enabling external authentication for a cluster of Cisco IronPort appliances, enter the same 
Shared Secret password on all appliances in the cluster.
Step 7  Enter the number of seconds that the appliance waits for a response from the server before timing out.